These are unedited transcripts and may contain errors.
Cooperation Working Group,
Thursday, 16 May, 2013, at 11a.m.:
PATRIK FALSTROM: Hello, everyone. This is the meeting of the Cooperation Working Group at RIPE 66 in Dublin. So, in parallel with this meeting, there is a WTPF in Geneva, where it was opened in a blue helmet. While doing that, he said he will not take over the Internet and neither will I. So, with that, I hand over to the microphone and agenda to Maria, that will chair today's session.
MARIA HALL: Thank you very much, Patrik, and that is kind of sets the scene for this session, I think. Maybe you need the helmet the rest of the session, I don't know. I don't think so. I don't hope so. Anyway, thank you very much for coming to the RIPE Cooperation Working Group. I would like to present a few things for the agenda today.
And the first session, the first session or the part of this session is going to be an update from RIPE NCC on external relations, Paul made a short presentation yesterday in the plenary but he is going to go maybe a little bit more into details today because we have Chris Buckridge here from RIPE NCC who actually was in Geneva so it's been really interesting to hear what has happened and the what the status is right now, because it's not over yet, still going on. We have going to have a video?link with Andrea is going to talk about the EID regulation coming up, so that will be very interesting and I will also tell you a few words what I am doing now, because since February I am no longer working for the Swedish ministry of enterprise, energy and communication which I did before for ten years actually. Now I am CEO for Swedish university network, it's still governmental because I am connected to the ministry of education but it's a different role and I met several of you at the RIPE NCC from a different angle, that is a very interesting for me. I will say a few words what I am doing and what I am thinking could be a potential way forward to build in the NRENs more in the Internet Gough /RAPBS field. I hope to have a few questions and ideas from you. We will talk about a public policy cooperation, we are going:
Paul, a short presentation on what is happening.
PAUL RENDEK: Good morning. And I am the Director of External Relations for the RIPE NCC and I am going to give you a short, short presentation about some of the developments. Actually I will try to be as quick as possible because I have got my great colleague, Chris Buckridge who is doing this presentation together with me. The reason we have done this split is I will give you some of the general pieces and details of some of the strategy that we are going into and Chris is going to give us a hot off the press coverage of what has happened in Geneva. I am very proud of the way that he represented our community and this regional Internet registry at the RIPE NCC at that event and he has got lots of news for us and I have engaged with him this morning and asked him to give us the stories, the first?hand stuff, what did we see, what kind of governments we are talking to and who was saying what, what is the kind of juice we probably want to see in here and discuss.
I provided this slide to you yesterday and I am giving a little bit of update and going into a bit more detail for this particular group. As you can see, we have got a great team of people, and I think most of you recognise Chris Buckridge, Sandra and Marco as part of a soup team that I have. It's a small but a very punchy team. I can tell you that. And you see one square here that I didn't have on my presentation yesterday, and it says "Russian". Why is that? For quite some time, and because of the size of the region and the languages that we have in Central Asia and in Russia, I have been looking to add a Russian to our team of external relations experts that we have at the RIPE NCC. I am quite far in where I am there, and I hope to announce somebody new on this team that will be able to help us move some of the work that we are doing into that part of our region. I think it's very important.
The great thing is, the reason why we have done this is because of all the feedback we get from the survey and from our focus groups. We have had basically the call and the need for this kind of a person inside of our company. So I am happy we will be able to deliver that for you.
So, if we look at this year then, I'd like to say we have got quite some engagement in Europe, in the European region. We feel that we have made some ground there. I think some of the future growth in the focus for us is going to be engaging into the Middle East and into the Russia and CIS area. I think this is a part that we need to make sure that we cover for various reasons, I am sure you can see. And of course, as I said yesterday, there is an increased interest in other interested parties and stakeholders in RIPE NCC and in RAR activities and we need to engage with these people.
So what do we do? We represent our membership and our community in international forums and this is the most important function of the external relations group. I think a lot of people look at this or look at what we do and say oh, yes, they are out there somewhere, just chatting with governments and other stakeholders. No, our actual primary focus is on what we need to be doing from the membership and from the community perspective. This is what drives us in everything that we do outside. And we inform our membership and our community on the developments and what is happening in Internet governs. I think of course, it's hard to probably every little piece of what we are doing, we document this and put it on our website and we realise you are very busy and can't go through every detail but we try to give it to you in a digestible format so you can get an idea of what we are doing. And we contribute to national, regional and global policy governance discussions. We do that with RIR colleagues and other organisations that are involved in Internet administration, namely ISOC. We have got great relations with them and do a lot of stuff externally with them as well.
We organise cooperative initiatives with other stakeholders and this is particularly in a capacity building area. We have championed some great things with the public and private sector kind of hat on doing IPv6 roadshows in the Middle East, together with us as Internet ?? RIRs and governments and organising these things together so that is kind of ban great thing to be able to show the world that we can have come cooperation here.
And we have regional engagement with our membership and our community. So I have taken also a very big personal interest in driving us in that arena, so I am hoping that we can keep going with our headway there.
So some major events and developments. You know we have got increasing work with the law enforcement agencies. We can see that that is probably not as scary as I said yesterday a word as it probably used to be. I think we have been very clear in telling these agencies what we can and cannot give to them, which has made the relationship, you know, it's given us the right kind of formula that we immediate for what kind of relationship we can have going forward. I think we would like to keep that as transparent as possible because we want to know what your relationship is with these law enforcement agencies. We have a regional issue which is the Arab RIR issue, I want to talk to you a little in more detail about what is going on there. And then I will hand over to Chris to talk about these bits and he will get ?? I will be quite short here and hopefully he can get into some of the bits of what is happening recently.
So working with law enforcement. We have an annual meeting that take place in March, alongside the global E cripple congress. This is a fantastic event for us. The law enforcement agencies give us almost a full day of their week long conference to engage with the RIRs so, we take that opportunity because we usually get anywhere from 50 to 80 of these top law enforcement representatives from countries that come into the room and are interested to see what is going on and what are the developments happening in the RIR regions and how they can work with us and how we can help them to see what they should be looking for. Well, we are not helping them do their work but we are helping them to see what data is out there that they can use on their own so that they wouldn't have to run to the registry all the time to ask us questions. There is this publically available data and they should be able to mind this.
So we have done some work this that area which is really in training and consultation with them. The groups that we are working with pretty level with the European cybercrime centre, or Europol, Interpol, SOCA, I have to say SOCA has been a champion in leading the other law enforcement agencies to say go speak to the RIRs, they are pretty great people and they are easy to talk to to, reach out if you have got questions and you are not sure what is going on. They will tell you what they can and cannot do for you. There is Cepol, European police college, we have done some work there, given them some materials to be able to train some of their people.
Interpol, we were recently invited, Marco and I both gave keynote speeches at the Interpol meeting in Dubai which had all the Middle East police represented there and a lot of the north African police folks. So, we have kind of reached in that area and doing some of the work in that part of the region and we have recently had a training in the United Arab Emirates for the police, Dubai, Abudabi, they were all there.
So working with law enforcement. So we have a work ship at the IGF we are organising together with Netnod and EC 3 and looking at the multi?stakeholder approaches there.
Some background here: At the WTSA wicked meeting, I am sure we discussed all of this with you before, we went to that huge meeting, what jumped out that have the UAE from the left field, proposed that the ITU begin the process of becoming an IP registry for IPv6. We have listed here there is a resolutions at the ITU that was brought forward on that resolution 64, the revision 2, resolution 64. Some support for investigating this situation took place. We had to do some fancy footwork as RIRs. I can't say that we worked, we spread out selves out and ran for the governments and got them to take that text away from going into the wicket process and put it into the study groups and let them work on that a bit more in the ITU. For that we could say that that clearly some great work by the RIRs. I think from the governments you can see probably. Maybe we, from the community, don't see what a win that would be, but I think from the government side those that would support that, they can see how much work that took to get it there.
Then, from this, really, we had some talk amongst some of the Middle East stakeholders. They got themselves together, the Arab group got together with ICANN, and what came out of some bilaterals there was something very interesting to my ears and that was the idea of an Arab RIR.
This obviously effects both AfriNIC and the RIPE NCC area because as I had mentioned, this would cover Middle East plus north Africa, so you would be effectively splitting up currently what you see two RIRs servicing. So of course we are engaging with our members, we did inform these governments what we thought of this. The whole idea of bringing up an RIR, if it's coming from our membership is not a funny thing, this has happened before, LACNIC and AfriNIC that have come out of these discussions. This was brought forward by governments, a very different angle and one we are not used to seeing in championing further RIRs so we issued a public statement that I am sure some of you probably saw, we felt we needed to issue this because we wanted to make sure we told our members that in no way were we pushing them out for them to go out and form some kind of RIR. If that is what they wanted, we are in full support but we need to see that coming from the members.
So as you can see there was some discussions that took place, I brought this forward in all the forums I have been going to in the last four or five months, also along with my team in the forums that they have been going to.
So, one of the big things we want to point out here, there is an existing framework to establish a new RIR and we made that very clear to the governments took an interest. And you can see the ICP2 ICANN document, criteria for establishing a new Internet registry and these are the points that that they come with forming an RIR.
Engaging in the ITU processes. At this stage, I am going to us this on to Chris. He is going to run through what has happened very recently at the WTPF.
CHRIS BUCKRIDGE: Thank you, Paul. So, what I want to talk about is obviously a report on that what is happening this week and everyone is interested in, ifs the first RIPE meeting we have had since the wicked last year, the world conference on telecommunications, and so I want to give a little bit of background without stepping too much hopefully on Olaf's toes who I know is going to give a more extensive report on that on Friday.
OLAF KOLKMAN: Not ex ten /SEUFPLT
CHRIS BUCKRIDGE: More from RIPE NCC perspective. The goals we had going into that wicket meeting which was very /HAOEUPD and very prominent in the press, was A we were pushing for greater openness and transparency in the processes that were happening around that. We wanted to ensure there would be technical input could be made where appropriate and we wanted to address some of the specific concerns that have been raised, that related to the work we are doing that includes the interconnection models, ex pension of the ?? management of Internet number resources. (WCIT).
What we saw coming out of that and there has been reams obviously written on that in many, many places, but this is just a few of the high level things. We did seat ITU opening up a little bit and some of the documentation being made available for the public. They were baby steps, it's not as open a forum like RIPE but there were step made there to maybe appease some of the criticism being made. We saw obviously very clear disagreements between a lot of the ITU. Member States, including states within the RIPE NCC service region, I think we some of the western European countries versus some of the countries like Russia and some of our Middle East Member States really having very divergent views. We saw that there is a need for the Internet community to really engage public sector stakeholders. Not only in the ITU, really everywhere. What we saw was a lack of that engagement and something that we really need to build on and that is something that as Paul explained we are really trying to work on in the RIPE NCC and to help facilitate our members in dealing with their public sector in their own countries.
We did see obviously the concerning the RIPE community and in many of the Member States about the fact that spam and security were mentioned in the revised ITRs. What we saw, though, was that the ETNO proposal, which was regarding infrastructure payment models really didn't get much traction. It wasn't even really discussed at length there, which is not to say that that issue is going away, it's clearly being discussed in a lot of other forums, the OECD is even looking into this so it's something that will come back but didn't make a major appearance at WICT
So WICT, I think, sets the stage very much for the WTPF and there has been a lot of preparation for that over the last 12 months. There is an informal expert group which met three times over the last 12 months and there have been RIR staff involved in that, Paul Wilson from APNIC and Cathy Handley from ARIN. Out that have informal expert group came the Secretary General's report which is the only input document to the WPTF but includes 6 opinions which have been agreed by consensus on that group on a number of issues.
The RIPE NCC authored and worked with our other RIRs colleagues on a response document to those opinions, particularly the ones which related to our key areas, that as been published on our website and we actually published a draft and then actually revised it based on input from our community, particularly the IXP operators. Then, in this week's WTPF which is still going on today, today is the final day, Paul Wilson spoken on behalf the RIRs in the Opening Plenary and we spoke to the five opinions that we commented on during the sessions.
So, this is where it was held. There were obviously plenty of familiar faces there, mainly from the WCIT, maybe a few others there that I perhaps added myself. And Patrik has stolen my thunder on this, but in some familiar fashions as well, there was a very ?? a surreal moment in the introduction to the event where he put on that peace?keeper helmet.
We are now in the final day of the event and as we saw it, many of the other WTSA and WCIT events, things change very radically sometimes on the final it was an atmosphere really of not wanting this to go the same way that WICT went, I think there was a lot of consciousness on the part of the ITU secretariat themselves but also, more importantly, on the part of the Member States, that WICT had been a very bad luck in terms of not being able to find consensus and put the politics aside and focus on the issues and there was an acknowledgement that expressed by Member States like Australia that had to be rectified. A slightly more cynical take on that the WTPF is not producing anything bind so perhaps this is the forum where you can afford to be a little more magnanimous and making concessions. Some of the other events next year and maybe we see some stronger opinions being expressed.
So, but so what the outcome of that was, is the first four opinions, the first is covering ?? encouraging Internet exchange points, broadband, the third on capacity building in IPv6, and the fourth, on a lot of issues to do with legacy IPv4 address space and registration. Really, went through with minimal he had its to the text that had been agreed by the informal he can /PERTS group and that was not because they are great ?? it was great text to begin with but because there was an acknowledgement that once we open this to up editing anything can happen and they could be a lot worse than they are. I think we were very happy to be able to contribute to that and to get the out /TKHAOPL we got and there was a chance for us there, there were Working Groups that considered each of these, the Working Group that looked at the IPv4 and IPv6 sessions was actually chaired by be rain, which is in our service region and we were really, really able to work quite closely with the Chair from Bahrain there. And I think it's a testament to the relationships we had built up in that region over the past few years that he was so open to what we had to say, he was talking to all of the RIRs and really working with us to achieve that result.
The fifth and sixth opinions on enhanced cooperation and the multi?stakeholder model were a little bit more controversial. Particularly, there had been some countries from countries, including Russia, for some significant changes to that with a really much stronger focus on the role of the states in managing Internet resources of various kinds within their own country.
There was clearly a lot more discussion on that yesterday, but the end result, again, the need to find consensus ruled out in the end and they moved through without any significant changes. So that is also a very positive outcome.
There is one final additional opinion which has been proposed by Brazil on the role of governments. That is currently under discussion so I don't say too much about that other than the direction it seems to be going is that it will be, again, an acceptable proposal to most concerned because there is this need to get consensus on it.
So, yes, that was the ITU.
We can talk about any questions about that later on.
I wanted to move on to another of the major organisations we work with and maybe contrast it a little bit and that's the OECD. So we participate there as part of the Internet technical advisory committee. That was formed in 2008 at a ministerial meeting that the OECD held and it was really formed on the basis of work that APNIC and RIPE NCC did and later, bringing in ISOC and a lot of other members of the technical community, including ICANN. OECD is a more traditional inter?governmental organisation that is inter grating multi?stakeholders methods and it's a model I think works very well with the kind of work that we do. It's not a decision?making body, but it is a really highly influential body in setting the tone and ideas on how policy is made. It overlaps with a lot of the issues that are under discussion in other inter?governmental forums, I mentioned the interconnection mood he will which has been discussed there which came out in the ITU but they really have formalised multi?stake holler input much more effectively and it's an easier organisation for us to work in so we are really very positive about contributing ?? contributing there and encouraging more work to take place there. And so, some examples of that. Is IPv6 and currently, in the process of editing ask a document that APNIC Geoff Huston, Internet state of transition to IPv6.
This, hopefully, will be accepted and published by the end of this year. But what we are really most happy about is to see that it's really sparked an interest in that group for further work on IPv6. And the Czech Republic have expressed interest in funding further work, working with CZ.NIC and we have got Constance from ISOC and Geoff Huston representing the ITAC with the OECD secretariat on how to make even further proposals for studies in this area.
Another study being done at the moment is one on international cables, gateways, back he will and ISPs. This is interesting example because it's the first of a study that is being funded by ITAC and not by a Member State. RIPE NCC, APNIC, Netnod, I think a few others, are contributing funding to this and working with the secretary to actually get this done. And it's an opportunity for us to get our point of view in here and the really key point of view is support for the existing structures that have ?? that exist around IXPs, peering forums, etc. That was something that we tried to get into the IXP opinion in the ITU, maybe more effectively we can put that into OECD.
And finally, this is something a bit more long term, but we are contributing to further work on the for policy making. This is a document that was produced at 2011 high level meeting, which was a period where there was really a flurry of these principles for Internet governance and policy making going around. The OECD one was quite highly publicised one and something that now the US is pushing hard to do further work on that and looking at having a ministerial high level meeting in 2015, 2016 so we are working with them on that.
So finally, and this is to go away and think about or to discuss here, just some open questions. I think how can the RIPE community engage in these discussions? I mentioned at the beginning part of RIPE NCC's remit here is to try and facilitate our members speaking to their own governments and contributing to international organisations, inter?governmental organisations. How can we effectively promote multi?stakeholder Internet governance? What do we expect to happen in the ITU? This is after WTPF, more events next year: The development conference, plententiaries, plus ten; this is ongoing story. What is the role, what do we think the role of the ITU in this should be. And finally, what are the RIPE NCC's priorities here, how are we engaging, in the way our membership feels is the most effective so. That is it. I am sure Paul and I are happy to take any questions but I will hand back to the Chairs.
MARIA HALL: Do we have any questions from the audience?
JIM REID: Just another guy wandered in off the street from somewhere or other. One of the concerns I have about things that happen ITU there is almost like a salami slicing approach to things, workshop done here and distorted to results presented there, the report thing it fed on to other meeting, goes on somewhere else, that gets amplified, this other meeting requires something else which means it gets fed into WICT or WTPF and pretty soon we have got a resolution that is coming out of WTPF, this is something that has to be discussed and put on the agenda and so it goes. And all this grows out of essentially nothing. So I wonder if there is anything more that can be done to try and, maybe not so much stop this kind of craziness, but at least try to channel in the right direction.
CHRIS BUCKRIDGE: I think what you are identifying is definitely correct and it's one of the real challenges for the RIPE NCC in engaging with this ITU stuff, as you said there is things happening really everywhere and they are all interconnected, if you miss out on this meeting then chances are it will produce a document which will come back somewhere else. One of the strategies there obviously is coordinating with the other RIRs, sharing resources to try and be able to cover as much as we can. But I think also, it's not that it's coming out of nothing; I think this is something ?? this is the way the ITU has worked forever. What we are trying to I think identify and get to the heart of, is that it's working this way and it can seem very chaotic but at the root there are concerns that governments have, and some of those concerns maybe seem silly to us and maybe they come out of the lack of information or lack of understanding of what structures exist or how the Internet works and I think that is really what we see our core role here as is in trying to explain and this is why the Internet works as it is, this is the role we think you might productively have here.
JIM REID: Yes I quite agree, Chris, yes there are government concerns and obviously we have to try and do our very best to address them. What seems to be happening, at least from my perspective, seems to be happening, is those concerns are being expressed in strange ways at the ITU and sometimes it's a manifestation of another problem, it's not really clearly articulated and that gets presented as something like we have to have country by country allocation of v6 addresses to sort out some other problem when in actual fact that is not really the problem. It's that educational problem. Something I would like to ask is, it's not so much just what the RIRs are doing collectively but what other other Internet institutions are do, how to operate with ISOC on these kind of issues.
CHRIS BUCKRIDGE: I think we work quite well and closely with ISOC on this. It's something where ISOC perhaps has additional resources and obviously they have an office in Geneva, they can connect a little bit more effective. We are working with organisations like ICANN which has a quite different role in this, in that I think it can be a lightning rod for a lot of controversy in some of these discussions. But I think ?? when I said resource sharing between the RIRs, I think it's also, it's a broader Internet technical community strategy that we need to look at improving.
MARIA HALL: We have a short question.
PAUL RENDEK: I have a very short comment. I understand exactly what you are saying, Jim, and believe me, it took us a very long time to actually get our heads around this whole circus that is around the ITU. But what I can say; what you are actually bringing forward is maybe a comment of something we should try to change. I actually see that as a little bit more of a feature rather than a bug of the ITU because to be honest with you, because it is so complex and there are different arenas where things can come from. It's very easy to put things into areas that probably don't get brought up or don't get as much momentum in maybe the real arena of where decisions are being made and they can be discussed a little further so I am not quite sure if I would really want to change that, my personal opinion. Anyway, that is basically what I want to add. And of course we are working with ISOC and now ICANN is really stepping up in this area as well and we have had some meetings with their regional reps talking about what we can do in this space as well. And basically, I mean, if you look at the ITU, we have literally had to divide all the sections of the study groups amongst the different RIRs colleagues because there could be no way with the resources we have at the RIPE NCC to follow like any or all the different groups. So it's a feature not a bug.
AUDIENCE SPEAKER: Speaking for myself here. I had the chance to read the whole 55 pages of the ITU report from the secretary.
(Applause)
AUDIENCE SPEAKER: It took me almost two days of analysing this transparent English he wrote there. And what I was really surprised was about, was the response of the RIRs, because for me, it was something ?? a little bit like you are in a defence position, and you aren't; you should be more ?? much more confident, because with the actual structure of the Internet, the Internet is a really success story, we have one net over the world, everyone could take part in the development of the network, there is ?? the maximum of multi?stakeholder is existing, everything you change will reduce this. And you should stand there much more confident and not so nice to the others. You should ?? because they are ?? they aren't, if you read this text, in my German lessons in school my teacher said to me, OK, the content should follow the language, and in this text it isn't, because they always talk about multi?stakeholder. We are such transparent and everything, great, but when you read the language, you have to read every passage at least three times to understand what they really want, yeah, and this is not really ?? and they have ?? you have to be so confident because they have to prove and they can't, that if they will get some responsibility, it will be getting better. Why? Yeah. So, each issue they state, either it isn't an issue, for example this multi?languagism; in my family, I have multicultural background and part of my family is connected to Russia, and in Russia we have this TLDs with Cerillic and they say in this document oh, this is such a great problem with multi?language, and I ask all my relatives there, oh there isn't TLD, it's in Cerillic Russian Federation, RF, and nobody uses it. They don't need it. So there is no problem. And this, you have to make transparent for all the world and say there is no problem, yeah, you have to prove this is really a problem. Sorry for taking the time.
CHRIS BUCKRIDGE: Can I just say, I am going to be very brief, I think A, that is absolutely the sort of feedback that we really need from our community, and that we hope to get in presenting here and in publishing things on the website, we need to know what the community feels about how we are engaging. I think the other point is that in terms of being nice and ?? I think it's that the ITU is not the end game or not the only game. In terms of engaging with the ITU the bigger game is our relationship with the individual governments, particularly in our respective service regions, and what we are trying to do is talk to them and find out what their underlying concerns are, as Jim mentioned it's often not clear from ITU publications what those concerns are, things get muddied and politics comes into it, but I think particularly what we have heard from some Member States in our service regions, in Africa, is that they understand the ITU, that is where they feel comfortable. We can't go in there sort of guns blazing and say, this is all wrong. Even if that is what we feel, I think we ?? what they are doing is just trying to get more information trying to understand how they can more and more successfully ex pan the Internet stray in their country, how they can take advantage of all the benefits it offers so it's a matter of not pissing off those governments.
Constance: I think you are make a very, very good work in the things and I am speaking as ?? in my role for the government of the interior from Germany not as de.government. I think we have an important role in this case, so I want to call all governments to bring in your opinion about this case and to bring it in here, and discuss it, and we have to set up a process to call what we want, what do we want, and in my opinion, it is we don't want to change anything, and we want to behaviour the Internet as it is, so we have to find someone in the EU Commission who cares about our needs and nobody is involved in this process, I don't see anyone. So, this is the first step.
In our case, we have to bring up our opinions ?? review for this and advised us where the problems are and where the ideas are to go on, and so we tried ?? we tried to discuss it with each other, but we have to do it in a bigger way, so I want to call all governments, bring you in, please, this is the ?? a resource, we have to do it, to go on with. It's the only one we have in such a way.
MARIA HALL: Thank you very much. That is very true.
(Applause)
Well, there is a lot of things we could say about this and I can add a lot of things and I just want to shortly before we move to the next part, thank you very much, RIPE NCC, for doing a great job that you did, Chris, representing the RIRs and the RIPE NCC in Geneva. I know that from my colleagues, former colleagues I have to say, who was there in Genevieve have a still. We have Andrew Servida,
ANDREA SERVIDA: Good morning to everybody. May I start?
MARIA HALL: Yes.
ANDREA SERVIDA: First of all, I would like to thank Patrik, the Chair, you for inviting me to join you in this meeting. I have been given some instruction to keep my presentation very short, to five to seven minutes, in order to give them room to somebody else to perhaps raise issues that I might not have addressed myself in the presentation and then leave plenty of time for questions and answers. Is this OK?
MARIA HALL: Very good. Thank you very much.
ANDREA SERVIDA: OK. So, I am using my standard presentation for, to address you today, so first of all, I would like to say that I am not going to speak on all the slides because I suspect that the people in the room, in the audience, know very well the presentation, but I would like just I would say to perhaps afford you on those points that I have seen are raising more concern in, I would say stakeholders, that they feel perhaps themselves not to be part of the discussion today.
So first of all, let me clarify what is indeed the scope of the regulation much the scope of the regulation is ?? is about two main things. The two is much recognition of electronic schemes and means that could be used to access on?line services, the access to which requires the additional level of use of electronic identification meanings. This is an extremely important point to clarify because it is not the ambition of the regulation or of the Commission to impose on anybody the use of electronic identification means. And when I say "electronic identification means," I don't necessarily address or cover electronic identity token which could be considered for equivalent to identity card in Member States but we also consider I would say electronic identification means which could be considered equivalent to some sort of citizen cards which are rolled out in Member States for the purpose of ensuring that either citizen or enterprises would be able to access all line services provided at least by public bodies in connection to as I said, prescription ?? requirements that I have said either by low or by administrative practice.
So, bearing in mind the starting point, discover the regulation ?? scope of the regulation is make it possible for European citizen who is provided or who is using already such an electronic identification means and at additional level to have the possibility to access other electronic, I would say, public services which are offered on?line and the access to which may be subject in those Member States where such services are provided, may be subjected to the use of electronic identification means which at additional level where the services are provided do indeed match the same type of needs of and I would say requirements of the national electronic identification means which is in the hands of the user or the citizen in another country. This is extremely important because, I mean, I don't want to anybody leave the room with any sort of doubt that the regulation is either imposing the use of electronic identification means in Member States to; to the contrary, we are fully respecting this in the lit of subsidiarity, the role responsibility for the Member States to decide for their citizen in relation to public services whether or not they may or may not use electronic identification means and if that is the case, what sort of electronic identification means they may or may not use. And this could be either provided by government or public bodies or could be, somehow, electronic identification means which are recognised by governments at the national level, in relation to what is the type of services which is, somehow, associated today as provided for: .
The second part is about trust services same story even different story, I would say in relation to who is indeed that we are addressing there. First of all we are not addressing in general the provisioning of electronic trust services which are somehow provided by public bodies, but the trust service providers are to some extent to be read or to be understood in the context of what are the information society service provider is setting the electronic directive which means providers of services which provide such services for normally for remuneration. And in providing the legal framework in the regulation, we try to overcome what we have seen in the context of electronic signatures to be the real problem of interoperability which didn't indeed, I would say, succeed to be established at the European level. Despite the fact that across Europe, there are islands of very well working, I would say, platforms for the provisioning of electronic signatures and related trust services.
In this respect, as you see here, the least of the trust services that we are addressing there are services, trust services, which are to some extent the ?? the sign board of those services we have seen emerging at the national level in connection to the transposition of the electronic signature directive, either because there were specific needs that were, somehow, addressed or which led, for instance, to quite a number of countries to introduce provisioning in relation to time stamping, or for instance, for convenience in certain countries there was a connection in connection with electronic circuit the introduction, as kind of electronic signatures to be associated to legal person and not to natural person as normal the handwritten signature to which an electronic signature is equivalent is normally associated.
And again, here, the services that we are addressing there are not addressed there in connection to the ?? any sort of willingness or ambitions by the Commission to impose the use of those services. To the contrary, what we want to make sure is that should anybody be willing and be used to, I would say, rely on the use of certain trust services as defining the regulation and I will get back to this point in relation to the electronic identification later on, then the same person whether is indeed a natural person or legal person should be able to rely on such services and to have the provisioning of such services to be recognised not only in the countries where they are established which is normally the case now, but also in other European countries where indeed such services may indeed be used in order to fulfil certain obligations.
I think that is to us extremely important for two reasons: First, because the definition of trust services here is not mentioned what you can find in the, I would say, in the literature or the technical domain as the full set of trust services, but here, the definition of trust services or the scope of the regulation is really very much tailored to what is indeed is on point 2 of these trust, which means that the electronic identification services are not as such consider in the definition or as falling under the definition of electronic trust of services.
I hope that this is indeed, I would say, clear, because for us, the main ?? the starting point for to introduce any sort of legal framework for the legal recognition of electronic identification, is to be built on the sole responsibility for Member States to decide whether or not they want or they may indeed like their citizens to rely on such type of means to access at least electronic public services.
What is indeed that we want to some extent to promote with the regulation? To the contrary to what sometimes is the per sense, we would like really to go towards building the trust and seeing the electronic identifications and not the electronic identity as a kind of tool to build trust in the relations that may indeed be somehow established by parties in the environment, and we believe building trust is to be associated with user empowerment. We have the freedom to decide what to trust, how to trust and even more importantly, what sort of information should indeed be disclosed or shared in order to make it possible a sort of authentication which might be the, I would say, the precondition to access certain services. This is why, to us, the, I would say, the ambition of the legal framework and/or the chapter on electronic identification is not one of establishing a single model of trust. To the contrary, but is one in the development of very ?? approach to electronic identification and of the authentication across borders which should actually be going even more than it is today, toward the provisioning of trust at certain credentials in connection to indeed what is the main purpose of the authentication that as the preliminary step to get access to services.
In connection to trust services of course, I mean, in these slides which I am not talking about where actually explaining or presenting and of course I mean, I suppose that the audience is aware ?? is much more knowledgeable than myself, of what might indeed be the need or the opportunity for certain users or certain parties to rely on certain type of trust services, in connection to what is the lifecycle of electronic transaction, in particular the type of electronic transactions for which we may see that there is indeed a need for legal certainty to be established across some sort of jurisdictions which might not be that harmonised at the moment as we may like them to be.
In connection to electronic identity. I would like just to highlight here that the liability of the Member States is not for all the service provisioning in relation to electronic identification but is only in relation to the ambiguous link between identification data and the, somehow, natural person or legal person to whom such data are connected, which it doesn't mean that for the electronic identification cross?border we do envisage full disclosure. To the contrary, we want to make sure that if the authentication, as it should be, is always ?? in the territory ?? in the country where the provisioning of electronic identification services is indeed, is happening, then there is where the data might be indeed tailored to make the authentication process on the relying party sides to happen /TAZ would be best for the purpose of the transaction.
In relation to electronic trust services of course there has been a lot of discussion about technical ?? technological neutrality. We do have to be reminded that we don't start out of the blue, but we have quite a quite established legal framework in Member States in relation to provisioning of legal signatures and of course, we have tried to make the provisioning of the, of such services to be able to fit in the new framework by making an evolution to be the platform ?? to make the path to be more evolutionary than dis/RUPG in connection to what the regulation is going to establish for the 27 Member States.
However, we also have to admit that sometimes we haven't been able to build, to be really fully technologically neutral even though we have reduced very much the technological bias that we had in the direct phase of 99 on electronic signature. But of course on this point we are happy to hear your views and your suggestions to be even clearer.
Last transparency and then I will give I would say back to the floor to ?? to the Chair, is what the regulation is not, and the regulation is not about introducing I would say electronic identity means. Our starting point is the fact that whether we like it or not that the national level (at the) there is some sort of reliance on electronic identification means to access electronic public services and if this is Monday ?? use of such electronic identification means is required by law or administrative practice, there is no reason why a citizen in a country which is holding such means for the purpose of, I would say, accession such services at the national level should not be able to access on?line services in other countries which, where the use of such type of means is, again, required by law or administrative process.
However, and then I conclude, let's not forget that the legal basis here is not about provisioning of security but is about ? we believe indeed that by making the legal framework to be more predictable in connection to what is indeed not only the provision of technical service but the legal recognition and the known deniability of such services across the 27 Member States, this would perhaps make it possible for more parties to consciously decide what might be the best I would say type of reliance that they may or may not I would say decide to have on such services in connection also to what is indeed the responsibility. On the one hand, of the Member States in relation to electronic identification means, but even more importantly in relation to what is going to be the reliability of trust service providers in connection to the services they are providing. And let me conclude with the statement for trust service provider, there is no intention, there is no provision in the regulation for Member States to take over there any sort of responsibility from those providers at the national level.
So this is to to complete my presentation and there are many more slides in my presentation, which is publically available and it could be distributed to everybody. Thank you very much.
MARIA HALL: Thank you very much, Andrea, for your presentation and I would like to open the floor for questions. I have a few questions myself, actually, because as I understand it, to make some impact on what we are doing in our countries and our organisations.
JIM REID: Concerned EU citizen. I was very alarm by some of these proposals and specifically I would like some information on is the use of these electronic credentials, specifically what I would like reference to is how that data will then be kept, managed and accessed. If I am going to have present some kind of electronic token every time I engage with the State, a record will be kept of that, who gets access to those records, how long are those records going to be kept and what is the potential for misuse of those records?
ANDREA SERVIDA: OK. Thank you for the questions. First of all, as I said, the starting point is that the rolling out of electronic identification means in connection to a possible use of such means at the national level to get access to public services, is indeed falling under the full responsibility of Member States, and in this respect, of course the Member States are to somehow ensure these ?? they are providing identification electronic means directly or recognising the use, or crediting the use of electronic identification means that all ?? all data protection because framework is fully respected, including what might be associated rules for data retention that might be indeed and as you know, I always bit different unfortunately across Member States. So, at the national level it's full responsibility of Member States and nothing changes at this level. On the other hand, for cross?border, of course we are very much supporting the provisioning of some sort of trusted credential that will make it possible for the relying party in another Member State to get access only to the data that would be needed in order to authenticate the prospective user to get access to the service. I will make a example which is not for public SECTOR but is for e?gambling ?? the provider of e?gambling have to meet the very, I would say, very strict regulation in relation to the age of the user, in relation to for certain Member States, where the user is residing, because the provisioning of such a services is territorial. So, if I want to e?gamble in a country, the provider of the e?gambling doesn't need to know that I am a male or 34 or 55; they need to know that I am more than 18 and that I, if that is the case, I am residing or not in the country where they have licensed to provide the information. Now, the issue is, do we have the authentication to make the Member States level to be able to provide only such credential. We hope that we are but that is not the case everywhere. But this is the direction that we have to go.
MARIA HALL: Thank you very much. And we have quite a long line of questions, I think that is good. On the other hand, we have some limited time and so we have to be very, very short, also with the question, please also with the answer. Thank you very much.
AUDIENCE SPEAKER: Patrik, United Kingdom. On I know on slide 7 you said you intend to make use of secondary legislation to ensure technological developments and practice. Could the use of secondary legislation lead to security operational practices that differ from Member State to Member State? And also the application of the strength of cryptographic controls would differ, so on one level you are saying you don't impose technological standards but on another level by leaving it to secondary legislation there could be gaps arising in the implementation of secure practices.
ANDREA SERVIDA: Thank you for the question. The purpose of what we believe is that in view of the practice that is in place now, so this is not coming out of the blue and is not considering I would say, is not to be considered in a vacuum, we consider that the principles in the legislation are the one which are sufficient to make things to happen. However, as you correctly said, for instance, in the electronic identification part, there is certainly a difference across countries in relation to the way in which security is being managed across country and there is a need to look at what is the appropriate level of assurance authentication assurance that has to be considered in order to make electronic identification means to be recognised. However, what is the practice today? The practice and experience today is we have only a limited number of Member States which are worked together in projects and we would like the ?? like to engage as it is because that is compulsive for all Member States, to work together and come forward with what will will be the established common practices which then could be codified as secondary legislation. It is not intention of the Commission to come forward out of the blue without any cooperation with Member States. With secondary legislation, a measure that will codify the practices to ensure interoperability. To the contrary and this is why we made extensive reference to standards in the legislation and implementing are actually there to make reference to existing standards.
AUDIENCE SPEAKER: Just to clarify, are you saying there would be a different approach to, for example, the revocation of cryptographic material across Member States because it's relying on secondary legislation, is that the case?
ANDREA SERVIDA: No, I am not saying, because I mean if you are making the revocation, if you are considering the revocation of cryptographic means in relation to the provisioning of the electronic identity, of course each and every Member State has today has its own practice. What they have to make sure and this is why in the context of electronic identification there is the obligation for Member States to inform everybody else. What the identification is, is about and how the revocation is being managed. But then you know, whether this will bring it to a more harmonised approach that is only to the Member States to decide.
MARIA HALL: Thank you very much. And we have three more questions. Keep it very short, both the question and also the answer. Thank you.
AUDIENCE SPEAKER: I understood that this legislation covers only the EIDs, EU Member States provide for themselves ?? for ?? by their selves. But when I see on the market the EIDs from the States does not ?? do not play such a big role because they are only limited to one country and every company who wants to use EID says why do I have to use such an EID which is only limited to one country and we have from my perspective as EU Member States are getting an EID provider with this and they are in competition to the existing ones, like Google and Amazon and so on, and how do you do you think this is a relationship and how does this legislation ?? regulation cover this?
ANDREA SERVIDA: OK. First of all, it's not true the regulation covers only electronic identification means provided by Member States. It covers all the electronic identification means which are used in Member States to access at least public services, electronic public services and whether these ?? these electronic identification means are provided by the government, for instance it is in Italy, we have reason to identity card or in Germany the card, or provided by ?? but accredited by government in relation to making it possible for user to access public services as it is the case, for instance, in Estonia and in Sweden, bank card, that is up to the Member States and all these type of solutions are ?? what is not covered, what is what we are putting in number 9, is what is indeed the provisioning or what I would say, would call soft ID so. If you are ?? because you mention in Google, is a good, I would say, identity ?? identification means for for their citizens to access public services in that country, that is a decision of the Member States. If the Member States, that Member State then decide to notify that service, OK, it will be up to the mechanic of the other Member States to sue whether they trust the identity to the unambiguous link and the trustworthiness what is transacted in the electronic environment.
AUDIENCE SPEAKER: If the first little municipality, decides to use Google or Amazon ID to make the authentication for a seat in the kindergarten, then they are falling under this legislation, yes?
ANDREA SERVIDA: No, no, that is the second point ?? starting point because the electronic identification scheme should be at least used to access public services. In order to fall under the legislation the government of Germany would have to decide whether that scheme is to be notified in relation to making it possible to the user of that scheme at additional level where indeed it is used to abscess public services, to access electronically public services in other Member States. But that is a decision of the government and not of the provider.
MARIA HALL: Thank you very much.
PATRIK FALSTROM: Can I get slide, the slide with article 5 up there, please, and I think I sent you that. There it is, thank you very much.
So, article 5 says that, talks about any electronic identification means falling under a scheme including the list published by the Commission shall be recognised and accepted."
ANDREA SERVIDA: Yes.
PATRIK FALSTROM: OK. We have also seen on your slides, for example, your slide number 4 on the top, and you have ?? about connection to, for example, providing ?? filing your taxes, for example, and you also talked very explicitly about this covering any kind of trust service that has to do with the ability to assure that you are connecting and communicating with the correct party. Right.
ANDREA SERVIDA: Yes.
PATRIK FALSTROM: When you are talking about these things generically and very he can police Italy said this is not only covering electronic IDs, I must say I am really, really surprised that the Commission specifically and others working with this directive has not been part of the discussions in, for example, the RIPE community related to DNSSEC and RPKI and other mechanisms, which are the actual schemes and trust mechanisms that are counter developed. So, I ask you, how do you see the clash between what is currently developed and in the technical community and the multi?stakeholder process like, for example, RIPE, how is that is ?? how that is to be handled in relation to this legislation or proposed regulation that we see on the table, that I see is absolutely contradiction in terms to what is currently happening on the market? Thank you.
ANDREA SERVIDA: First, thank you Patrik for the question.
Two things: In order to prepare the legislation we have carried out extensive consultation, including a public consultation, we have pushed information to, I would say, I would say the communities that we consider and where, had an interest in what we are doing. Of course I mean, we didn't change each and everybody in Europe because we don't this. On the other hand, I must say that the point that you are raising is to some extent, I would say lean closer to the very difficult areas that is the world of electronic provision and identification means. The least that is made is referred to in article 5 of the regulation, is the least ?? provide schemes and means which are notified by Member States. So if a Member States decide that the provisioning of electronic identification in their country in connection to make it possible for their citizen to access, at least electronic public services is indeed to be, I would say, to cover the provisioning ?? electronic identity provided by Google or Facebook, I don't know what is their decision and if that is the case, the Member States may also decide to notify for their country for those citizens in the country that scheme as a suitable for notification and for recognition across boundaries. However, whether this is going to be I would say, possible, has got to do with security and authentication assurance level and that is where the cooperation with the Member States should take place. So, in this respect, we have not ? shall we are not looking at the way in which the provisioning of electronic identification means in recognised Member States is indeed, happening, we will leave this responsibility as it should be because we don't have legal basis for that, to the Member States. However, once they have taken the step of notifying then that is the least. Of course, I mean we also are fully aware that there is not only such electronic identification means which are flush in the market. This is why I am saying we don't address, today, soft identity provisioning, what makes to be ?? it could be also I would say something that is indeed provided by Facebook, God knows. But the problem is, in connection to the use of this identification to access public services, would that be recognised in my country or the country where I am citizen, yes or no? If the answer is yes then I may be expecting to use also these identity outside my own country. And there is where the least comes about. Everything else that is a connection to the use of soft ID in connection to, I would say, getting trust and building trust in relation, of course I mean, as we said, is not covered by these regulations but in ?? it might be covered as long as such a scheme get notified by a Member State.
MARIA HALL: Thank you very much and I think we need to close this part because we have at least one thing more to go. But thank you very much for your presentation and taking your time from Brussels. Thank you very much.
(Applause)
OK. Actually, I am going to skip my own presentation because I can conclude it in a couple of words when I am going to close this session because now I want to make space for Michele Neylon, talk about public private cooperation and ?? well, according to this previous session I think that is very important.
MICHELE NEYLON: Good morning or, it's now afternoon. I am going to go through this very, very quickly to try and catch us up a little bit because it's now 20 past 12 and this session is meant to finish at half past 12. So, the advantage that I can speak very, very quickly probably works this time around.
Right. I was asked by Patrik about a week?and?a?half or so back to come in and fill in this slot because they felt that RIPE felt it would be good to get the local perspective; when in Ireland get an Irish perspective and in Greece get a Greek perspective; and in Holland a Dutch perspective. So I'm going to try to give you my perspective.
That is a bit about me.
So, welcome to the Irish super information gateway ?? highway. It's wonderful, or is it?
Ireland is one of these wonderful countries where our government says one thing and gets ?? does a very, very good job of getting in all these nice big shiny foreign companies, but yeah, the reality is a little bit different, let's just say.
They mean well.
They talk about the super dooper fast broadband, yet Netflix are now publishing the speeds across all the markets they are in or if you can take a look at the Akamai statistics and the bit around Ireland takes on a kind of interesting like hue. It's not the fastest. I know you can't see that and I wasn't going to try and make you all squint, but I will read out the figures: The higher up figure is about 2.2 megabits. So, the fastest broadband on average that Netflix is about 2.2 megabits. Aren't you really proud of yourselves. We have got all these big e?com companies who have come in. But those of of us who get involved with all the Internet policy governs and get completely freaked out by ITU, WICT, law enforcement, various governments, stuff happening with ICANN, stuff happening everywhere else, we are kind of left a bit out in the cold because Ireland has an awful habit of not turning up. My graphic designer had lots of fun preparing the stuff so.
How many of you are from Irish companies? How many of you are from the Irish Government, semi? States. Niall, you don't really count, you are an academic institution. Okay, you will do. Poor Niall, he is an academic. Nice to see the Irish Government turned up in force.
PATRIK FALSTROM: Are there anywhere from other States?
MICHELE NEYLON: I had been sitting there and watching people going up to the mic. How many people in this room are in some way linked to a government of another European State? In any shape or form? If you contract for them, if you turn up, if you observe for them? Wow. I would say that is impressive, but it's not, it's normal.
Can I go back a couple of slides here. Oh look, all these companies that are based in Ireland and you can see how much the Irish government care about this stuff.
Yeah.
So, what is the kind of stuff, we have had the SOPA Ireland, it's very good for headlines. This is all about digital copyright, online rights. It's still ongoing. I know some of the Irish people this this room have been following that. It's to be determined, to be decided. We might come out the far end of this with something which isn't absolutely abhorrent, or going back to my slide, all these companies might go oh, dear, we are really in the wrong jurisdiction. But we don't know what is going to happen there yet.
IPv6, as this is RIPE. Yeah, these are the main Irish ?? main ISPs serving the Irish market. As of today, unless somebody could correct me, not one of them operate IPv6. Some of them will go and, if you go and beg and government, you might get an IPv6 connection. UPC for example, does my broadband which is a business connection. I asked them again this week and, no, they have no plans. All of them have done tests, but they haven't bothered rolling it out. If you look at Irish Government tenders, they don't even add in a little, you'll get bonus points for including IPv6.
AUDIENCE SPEAKER: Imagine does.
MICHELE NEYLON: Do they? I'll look into that. Niall, come up to the mic and say it. I don't speak UCD.
NIALL O'REILLY: OK. I deserved that one. I don't know about imagine's business customers, for the domestic customers asked to have it done and they have tried to help me but something has fallen back out of the provisioning again or I would have ?? or I would have been able to migrate that ??
MICHELE NEYLON: Answer a simple question, let's do concise: Do you have IPv6 interest your ISP now?
NIALL O'REILLY: No I use 6 SS.
MICHELE NEYLON: Fine. Gentleman don't the bag who I don't recognise since I only go to RIPE meetings now and again.
AUDIENCE SPEAKER: Hello, we are an ISP not on the list, Donal Cunningham from ?? I am so hard to miss. We have provided IPv6 to a government customer based on a tender where they did actually have an IPv6 requirement and then took the shocking step of actually asking for their IPv6 allocation. And we gave it to them. There is hope. Thank you. So there is light at the end of the tunnel. Thank you.
(Applause)
BRIAN NISBET: HEAnet. While I have many problems with many of the things my government does, I do think it is worth pointing out that all hope should mot be lost for certain areas of the government. The Department of Communications and the Department of Education are putting huge amounts of money into broadband provisioning to primary and secondary schools and we are now in the second phase of roll out of 100 meg connectivity, proper symmetric connectivity to all 730 of the secondary school in the country regardless of geographic location and this is a project which HEAnet are the technical leads on but we could not do without the resources and backing of the departments of education and communications, so yes, there is much lacking but there are some people in there who are doing some very useful things and hopefully putting the resources into the education SECTOR.
MICHELE NEYLON: Thanks, Brian. I can go, it's OK. The thing is, I get involved a lot of this stuff and I find it's ?? you are completely isolated. It's great Brian is saying they are doing a things and couple of other companies say there is various connectivity things there. There has been a lot of debate in the Irish media over the last few months about on?line censorship and filtering adult content and they still haven't decided what the hell "adult" is, so my blog might get filtered, which probably wouldn't be a bad thing. I will hand it back to you.
(Applause)
MARIA HALL: Thank you very much. And the stuff that you touched upon and also the previous speakers before actually is touching upon the thing that I wanted to say in my presentation which I now will try to conclude it like in one minute, is that I see even more importance of cooperation and, for instance, the previous speaker before you, the guy Andrea from the European Commission, I know need to go home to my SUNET office and do my homework because this is something that might affect what we are doing. We have a federation called SWAMI, the Swedish EID system that we use for the universities and so on. We have other ?? we have stuff that is going on in the Swedish Government, I know it's happening all around Europe and other parts of our organisations that might be affected by these regulations so why didn't we know about it, I didn't know about it before, I need to go home and talk to my government about this and I think you should do the same. So let's do our homework. And that is why we need to do more cooperation in this kind of area. Thank you. What I would like to say about my new roll as CEO for the Swedish ?? I see role for the NRENs, I see one of you guys here and several of you I met before in my year going to the RIPE meetings, I didn't pay attention that you were NRENs, but now, I am coming and want to reach out to you from my new role. I would also like to see more NRENs actually being active in the Internet governance arena, that is happening in the WTPF in Geneva right now. It's not the end, going to be happening a lot of stuff afterwards, like Jim was saying, a bunch of things happening and it doesn't stop. It's more like a process, it's more like a way of, we need to find a way to engage even more and many of the stuff I see that is happening is of course going to affect SUNET and other NRENs as well, we need to engage together. I don't know exactly how to do it but I would like to do it in my new role that everybody else I am trying to cooperate with before. Let's see what happens and I like to say thank you very much to everybody that has been up on the stage having the speeches, including the guy from the European Commission, that had to come in that ?? well, in that way. Where is the helmet, Patrik?
Anyway, so thank you very much, does Paul want to say something.
PAUL RENDEK: I am happy to see where you have gone, Maria, as you discovered last night, I used to work at Terena, where you are quite interested in right now and I can say that Terena and the academic community is something we are taking a focus on in some of our external relations activities so I am very much looking forward to see how you can work with RIPE NCC in getting you out into this governance arena.
MARIA HALL: I am going to have my first arena meeting in June, in the closing plenary, I am going to talk about these things. Thank you very much, see you soon.